The malicious actors behind the IcedID banking trojan have branched out and are now using the malware to steal payment card credentials from online retailers and may have even become malware-as-a-service dealers.
The e-tailer attacks began in November 2018. Instead of grabbing customer banking information, IcedID is used to grab credentials and payment card data from victims, said Limor Kessem, Global Executive Security Advisor, IBM Security. These are then used to make purchases at the target retailer in the user's name with their payment cards, and since the threat actors hold all the necessary information, they can make purchases at other locations as well.
This new usage model was found by IBM Security during its on-going analysis of IcedID, which first came to light in September 2017. IcedID’s initial delivery method is still believed to be malspam and the Emotet trojan.
Interestingly, Kessem said the cybergang is pursuing this line of attack separately from its primary online bank fraud operations. "This could mean they are either simply branching out looking for new revenue streams or renting or selling botnet sections to other criminals, turning it into a cybercrime-as-a-service operation, similar to the Gozi Trojan's business model," she said.
The idea of simply moving from banking to online commerce makes a great deal of sense. Traditionally when a cybergang looks to increase its thieving ability it expands into new geographical areas. However, Kessem pointed out it is less expensive and labor intensive to stay in one place, in this case North America, and simply use the tools at hand to steal from a different source.
IBM has a complete rundown on how the malware operates here.
This is a trend Kessem and IBM expect will continue in 2019.